Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

Automatic field extractions from a quoted string

0

Our nginx access logs use a quoted string when dumping cookies. It ends up looking something like this:

"cookie_a=value_a; cookie_b=value_b; cookie_c=value_c" 192.168.1.1

The trouble comes when the auto-extractor hits cookie_c and sees the quote as the beginning of a quoted string. It then gobbles up all the fields after the cookie and dumps them into that field. Because cookie order isn't deterministic, you end up with a certain percentage of cookie_c values that are correct and a smaller number that are not.

Is there any way to offer a hint to the auto-extractor to make this not happen?

1 Answer

Yes, of course! You can create your search-time field extraction with a props.conf edit. Let's suppose that the field should be extracted from events related to the accesslogs sourcetype.

1. Create your own props.conf file, and put it in $SPLUNK_HOME/etc/apps/yourappname/local.
2. Configure your stanza like this:
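Added example, not part of the answer above and not Splunk's own extractor: a Python check, run over constructed sample lines, of an extraction that first bounds the quoted cookie block and only then splits the key=value pairs inside it. The naive pattern, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample lines in the layout the question shows: a quoted cookie
# block followed by the client address, with cookie order varying per request.
SAMPLES = [
    '"cookie_a=value_a; cookie_b=value_b; cookie_c=value_c" 192.168.1.1',
    '"cookie_c=value_c; cookie_a=value_a; cookie_b=dGVzdA==" 192.168.1.1',
]

# Hypothetical naive extractor (not Splunk's algorithm): every key=value pair
# on the line, with the value running to the next ';' or whitespace.
NAIVE_KV = re.compile(r'(\w+)=([^;\s]+)')

# Scoped extraction, stage 1: isolate the quoted block and the client address.
COOKIE_BLOCK = re.compile(r'^"(?P<cookies>[^"]*)"\s+(?P<client>\S+)')


def naive_extract(line):
    """Unscoped key=value matching; the last cookie keeps the closing quote."""
    return dict(NAIVE_KV.findall(line))


def extract_cookies(line):
    """Return (cookies, client), or None when the line does not match."""
    m = COOKIE_BLOCK.match(line)
    if m is None:
        return None
    cookies = {}
    # Stage 2: split only inside the quoted block, never past its closing quote.
    for pair in m.group("cookies").split(";"):
        # Split on the first '=' only, because cookie values may contain '='.
        name, sep, value = pair.strip().partition("=")
        if sep and name:  # skips fragments with no '=' such as a bare "-"
            cookies[name] = value
    return cookies, m.group("client")


if __name__ == "__main__":
    for line in SAMPLES:
        print("naive :", naive_extract(line))
        print("scoped:", extract_cookies(line))
```

Whichever cookie happens to be last in the block is the one the unscoped pattern corrupts, which is why the bad values appear only on some events.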
